<P><B>Security Is Simple: Only Use Perfect Software</B> (<A href="http://blogs.msdn.com/b/crispincowan/">http://blogs.msdn.com/b/crispincowan/</A>)</P>
<P><B><A href="http://blogs.msdn.com/b/crispincowan/archive/2009/02/25/shmoocon-and-interview.aspx">ShmooCon and Interview</A></B> (Thu, 26 Feb 2009 00:54:00 GMT, by crispincowan)</P>
<P>In early February, I gave a talk at <A href="http://shmoocon.org/">ShmooCon</A>. The <A href="http://www.acm.uiuc.edu/conference/2008/video/UIUC-ACM-RP08-Cowan.wmv">content</A> was the same as my talk at <A href="http://www.acm.uiuc.edu/conference/2008/speakers#CrispinCowan">ACM Reflections</A>, a student-run conference at the University of Illinois Champaign-Urbana. ShmooCon <A href="http://www.nomoose.org/?p=57">sells out</A> anyway :) so I did not bother to blog about it.</P>
<P>While there, <A href="http://elladodelmal.blogspot.com/">Chema</A> (a Microsoft MVP, and another <A href="http://shmoocon.org/presentations-all.html#blindsql">speaker</A> at ShmooCon) asked me for a virtual interview, and it is now <A href="http://elladodelmal.blogspot.com/2009/02/entrevsita-crispin-cowan-de-microsoft.html">live</A> on his blog.</P>
<P><B><A href="http://blogs.msdn.com/b/crispincowan/archive/2008/10/22/speaking-at-pdc.aspx">Speaking at PDC</A></B> (Wed, 22 Oct 2008 20:31:00 GMT, by crispincowan)</P>
<P>Just a short note to let folks know that I will be at <A title=PDC target=_blank href="http://www.microsoftpdc.com/">PDC</A> next week, giving a <A title="Windows 7: Best Practices for Developing for Windows Standard User" href="http://channel9.msdn.com/pdc2008/PC51/">talk on developing applications for standard user</A>. Much of what I have to say will be familiar to fans of things like standard user and privilege levels. The new content this time is an architectural view of the <EM>right</EM> way and the <EM>wrong</EM> way for a software developer to use an elevated DCOM object to perform privileged operations.</P>
<P>If you are going to be at PDC, please come to my talk, or feel free to just stop me if you see me around for a chat. I should be lurking around all of Tuesday and Wednesday, including the <A title="'experts' you say? :-)" href="http://www.microsoftpdc.com/Agenda/UnSessions.aspx#ask-the-experts">"Ask the experts"</A> session.</P>
<P><B><A href="http://blogs.msdn.com/b/crispincowan/archive/2008/09/02/go-ahead-make-my-day.aspx">Go Ahead, Make My Day</A></B> (Wed, 03 Sep 2008 09:16:00 GMT, by crispincowan)</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">This blog is about my security work at Microsoft, not my past work in Linux. However, in a recent blog <A href="http://etbe.coker.com.au/2008/08/23/apparmor-is-dead/">“AppArmor is Dead”</A>, Russ Coker basically called me out by citing both this blog and AppArmor in the same post, so I am going to briefly go off topic and talk about Linux.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Russ says that AppArmor is dead, because of the massive <A href="http://news.cnet.com/8301-13580_3-9796140-39.html">layoff</A> from Novell of AppArmor workers in 2007, and SUSE’s recent decision to <A href="http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/">add SELinux as an option</A>. He’s right that neither of these events is good for AppArmor, but I think he may be overstating things a little. AppArmor was added as the default security option in Ubuntu and Mandriva Linux, because of user demand for usable security.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">In contrast, I suspect that SELinux was added to SUSE Linux because Novell would like to sell more SUSE into US Federal Government accounts, where some of them have mandated SELinux as a requirement. This is actually reasonable, since SELinux is designed for Federal security requirements, and it shows in the <A href="http://ars.userfriendly.org/cartoons/?id=20080831&amp;mode=classic">usability</A> :)</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">I am no longer involved in the AppArmor project, as I work for Microsoft now, and providing Windows with more usable security is where I put my creative energy. So maybe AppArmor is dying, maybe it isn’t. If AppArmor <I>does</I> die, then in some sense it just makes my job here of enhancing the Windows security value proposition vs. Linux that much easier.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">So go ahead, make my day: ignore the popularity of AppArmor in the user community, keep blocking AppArmor from inclusion in Linus’ kernel. If all I have to do is make Windows security easier and more effective to deploy than SELinux, then my job is practically done for me :)</P>
<P><B><A href="http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx">UAC: Desert Topping, or Floor Wax?</A></B> (Mon, 28 Apr 2008 20:32:00 GMT, by crispincowan)</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Is UAC a convenience feature, or a security feature? <A href="http://snltranscripts.jt.org/75/75ishimmer.phtml">Dessert topping or floor wax?</A> How about both!</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Security can be a confusing black art, for both consumers and professionals alike. One reason is in the name of this blog, that insecurity results from imperfection, and we all know how difficult perfection is to achieve. Another reason is because reasoning about the consequences of <I>insecurity</I> involves a great deal of reasoning about the unknown: what can happen to you as a result of a vulnerability? Well, that depends on who knows about it, when they know about it, when they know about it with respect to when some other people know about it, and so forth. Yet another reason is because <I>some</I> security professionals (naming no names) find it to be in their interest to <I>keep</I> security a black art :) I don’t hold with that: I am a cynic who, following the definition of Ambrose Bierce, prefers to see things as they are rather than as they ought to be, and being an ill-mannered brute, I insist on calling a thing what it is, instead of what people wish it was.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Today’s entry will be about security <B>values</B>, which is to say what value can you really expect from a given technology, especially the access control technology I work on in Windows. Just to be clear, this blog is <B>my opinion</B> on what a technology is likely to do, and does not represent any kind of warranty by Microsoft.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">To start, we need to define some terms:</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Security</B> is the preservation of the three properties of confidentiality, integrity, and availability.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1.5in; TEXT-INDENT: -0.5in"><B>Confidentiality</B> means that your stuff is not disclosed unless you want it disclosed.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1.5in; TEXT-INDENT: -0.5in"><B>Integrity</B> means that your stuff is not changed unless you want it changed.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1.5in; TEXT-INDENT: -0.5in"><B>Availability</B> means that you, your users, customers, etc. can still use your stuff.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Security Feature:</B> some kind of feature, widget, or thingie :) that makes it somewhat more likely that your security, as defined above, will be preserved.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Security Boundary:</B> this is a special term to Microsoft. It means that if someone discloses a way to violate a Microsoft-defined security boundary, then Microsoft will release a security patch as soon as possible, so that the method to violate the boundary no longer works against patched systems.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Clearly, all security boundaries are security features, but not all security features are security boundaries. For an absurd example, hosting your web site on port 43392 instead of port 80 might be a security feature, because many attackers will not look there for a web server, but it is definitely not a security boundary, because an attacker can easily discover your web server running on port 43392 by just looking for it, and Microsoft is not going to issue any kind of patch to address this “problem”.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Now let’s look at UAC (User Account Control) in this context, and see what security values it delivers. UNIX and Linux users have long known that you don’t read mail, surf the web, or IM as root (the UNIX equivalent of Administrator). You don’t do it because if there is a vulnerability in any of the software you are using to surf the Internet, then any malicious content you encounter could 0wn your entire machine. The <A href="http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html">most important security</A> “feature” that Vista brought to Windows users was the basic proposition that, perhaps, your default user login should not be an Administrator. Running as a non-administrator provides a lot of security value, but how secure it is, and whether it is a security <I>boundary</I>, is a complicated question, depending on what kind of account you are using. Pre-Vista, there were three kinds of accounts you would likely use:</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B><I>The</I> Administrator:</B> if you logged in with a user name of ‘administrator’ and then entered a password, you are <I>the</I> administrator.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B><I>An</I> Administrator:</B> if you logged in with just your own name, your account likely was <I>an</I> administrator. This means you have your own identity, but you have (pretty much) all of the authority of <I>the</I> Administrator. The good part was that you could do anything: install software, administer the firewall, add users, etc. The <I>bad</I> news was that anyone who hacked your web browser, your mail client, etc. could “drive by” hack your machine and install malware, including fully powered <A href="http://en.wikipedia.org/wiki/Rootkit">rootkits</A>. It also meant that whenever you installed a program, perhaps something as harmless-seeming as some additional emoticons for your chat client, it might also install some very difficult to remove <A href="http://en.wikipedia.org/wiki/Spyware">spyware</A>, again possibly including a rootkit.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>A Standard User:</B> so called because it was <I>supposed</I> to be the “standard” way to use Windows. A standard user may <B>not</B> install software, manipulate the firewall, or do other things that would compromise the security of Windows.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Of course, you <I>could</I> run as a Standard User under Windows XP, but few people actually did. This is because it was inconvenient: if you wanted to install software or otherwise administer your machine, you had to <I>log out</I>, exiting all your applications and losing all your state, log back in as An Administrator, do your configuration work, log out again, and finally log back in as a Standard User to get back to what you were doing.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Vista sought to address this situation by introducing UAC (User Account Control) to give you control over which account you are using. Vista added a new kind of account:</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Administrator running in Admin Approval Mode (AAM):</B> this is kind of a hybrid between A<I>n</I> Administrator and a Standard User. You get a <I>split token</I>, which means you have the credentials of both a Standard User and an Administrator, and the right one is applied depending on what is going on.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">When people think of “UAC”, they often are only thinking of the UAC elevation prompt <I>per se</I>. When you try to do something that requires Administrator privileges while running in AAM, then Vista presents you with a UAC prompting window that tells you what is being attempted, and asks you whether you would like to proceed.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Vista also provides a UAC feature for Standard Users called the OTS (“Over The Shoulder”) elevation prompt. If you attempt something that requires Administrator privileges while running as a Standard User, then it presents you with a very similar elevation prompt, only this time it also asks for an Administrator’s password. “Over the shoulder” alludes to the idea that the Standard User does not have the Administrator password, and so you have to get your friend the Administrator to come enter it for you. However, in practice it may well be the case that the person using the Standard User account also has the Administrator password.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Finally, Vista provides a <A href="http://www.tweakuac.com/">Silent Mode</A>. Silent Mode is not quite the same as completely disabling UAC. Instead, what it does is automatically approve all of the UAC prompts that would have been presented to you. However, Silent Mode still leaves in place some security features that completely disabling UAC would have removed, such as <A href="http://www.microsoft.com/windows/products/windowsvista/features/details/ie7protectedmode.mspx">IE protected mode</A>.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">It has been said that UAC’s features are <B>convenience</B> features rather than security features. What could that mean? Especially since UAC prompts can be quite annoying :)</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">It is correct to say that UAC’s features are convenience features, in that it is <B>much</B> more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: compared with running as a Standard User, UAC is a convenience feature that compromises security, but compared with running as an Administrator, as was the default in XP, UAC is a security enhancement.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">But does that mean that UAC is <I>not</I> a security feature? No. UAC, in all of its forms, including Silent Mode, provides <I>some</I> obstacles to attacks, and so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything <B>but</B> a security feature.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">But how <I>much</I> of a security feature is it? Does UAC provide a <B>security boundary</B>? That depends on which kind of user you are using, and how you use it.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Standard User <I>Without</I> OTS:</B> this <B>is</B> a security boundary. There should not be any way for a non-privileged process to elevate to a privileged process, and if someone finds one, then Microsoft should issue a patch. Caveat: this is <B>excluding</B> mis-configurations such as 3<SUP>rd</SUP> party software running with privilege or weak security settings.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Standard User <I>With</I> OTS:</B> this is questionable. There <I>should</I> not be any way to elevate, but in practice the OTS elevation presents a potential area of attack. The attacker could inject malicious code into the user’s context, and it may trigger once the OTS elevation completes and the Administrator token is available.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Administrator in AAM:</B> this is definitely <B>not</B> a security boundary. With the Administrator token available in the user’s space, it is too easy for malware to attack something in this very broad attack surface and gain elevation without the user’s approval. Microsoft could not patch this barrier without substantially breaking application compatibility.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt 1in; TEXT-INDENT: -0.5in"><B>Administrator in Silent Mode:</B> Not even close to a security boundary. In silent mode, any malware in the user’s processes, such as an infection in the mail client, or in the web browser running at medium integrity, can ask for and <B>get</B> automatic elevation to Administrator.</P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt">Security is the business of saying “no” on occasion, and so it cannot help but compromise convenience. Thus there is a precisely inverse relationship between the security and the convenience offered by these 4 modes of operation in Vista. Users get to make the choice of which trade off they would like to make between security and convenience.</P>
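<P>As an added example (not code from the post), the PowerShell below reports which of the four modes above a session is actually in: it queries the process token's elevation type, which is how a split token shows up to software, and reads the documented UAC policy values EnableLUA, ConsentPromptBehaviorAdmin (0 is Silent Mode) and ConsentPromptBehaviorUser (0 auto-denies, which is Standard User without OTS). The defaults it assumes when a policy value is absent are an assumption, as is the choice of the process token rather than the logon session.</P>

```powershell
# Added example: classify the current session into the UAC modes the post
# describes. Registry value names are documented UAC policy settings; the
# defaults used when a value is absent are assumed (UAC on, admins prompted,
# standard users prompted for credentials).
Add-Type -Namespace UacDemo -Name NativeToken -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass,
    out int info, int infoLength, out int returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-TokenElevationType {
    # TokenElevationType (information class 18) returns 1 = Default (no split
    # token), 2 = Full (elevated), 3 = Limited (the filtered half of a split token).
    $TOKEN_QUERY = 0x0008
    $token = [IntPtr]::Zero
    $proc = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [UacDemo.NativeToken]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $type = 0; $len = 0
        if (-not [UacDemo.NativeToken]::GetTokenInformation($token, 18, [ref]$type, 4, [ref]$len)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        return $type
    } finally {
        [void][UacDemo.NativeToken]::CloseHandle($token)
    }
}

function Get-UacMode {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Assumed defaults when a value is absent; 0 means auto-approve for admins
    # (Silent Mode) and auto-deny for standard users (no OTS prompt).
    $enableLua   = 1; if ($null -ne $pol.EnableLUA) { $enableLua = $pol.EnableLUA }
    $adminPrompt = 2; if ($null -ne $pol.ConsentPromptBehaviorAdmin) { $adminPrompt = $pol.ConsentPromptBehaviorAdmin }
    $userPrompt  = 3; if ($null -ne $pol.ConsentPromptBehaviorUser)  { $userPrompt  = $pol.ConsentPromptBehaviorUser }

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # False for the filtered (medium integrity) half of a split token, true once elevated.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($enableLua -eq 0) {
        $mode = 'UAC disabled entirely (no split token; IE protected mode also off)'
    } else {
        switch (Get-TokenElevationType) {
            3 {
                # Limited: this process holds the Standard User half of a split token.
                if ($adminPrompt -eq 0) { $mode = 'Administrator in Silent Mode (prompts auto-approved)' } else { $mode = 'Administrator in Admin Approval Mode (AAM)' }
            }
            2 { $mode = 'Elevated process holding the full Administrator token' }
            default {
                # No split token: a true Standard User, or an account exempt from AAM.
                if ($elevated) { $mode = 'Full Administrator without AAM (e.g. the built-in Administrator)' }
                elseif ($userPrompt -eq 0) { $mode = 'Standard User without OTS (elevation requests auto-denied)' }
                else { $mode = 'Standard User with OTS (credential prompt on elevation)' }
            }
        }
    }
    [pscustomobject]@{ User = $identity.Name; ElevatedNow = $elevated; Mode = $mode }
}

Get-UacMode | Format-List
```

Run it once from a normal console and once from an elevated one on an AAM account to see the two halves of the same split token reported as Limited and Full.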
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><I>Intelligent</I> security design is intuiting what users really need to do, and adapting the system so that it always says “no” to malicious acts, but also says “no” as little as possible, because it knows what the user is going to need to do. Vista/UAC says “no” far too often precisely because the idea of running lots of software without Administrator privileges is new to the Windows community, and so a lot of applications are using excessive privilege that they don’t need. We’re making a concerted effort to reduce the number of unnecessary UAC prompts in the future by improving the middleware and applications software to avoid performing privileged operations as much as possible. Making it possible for everyone to run as Standard User is the real long term security value.</P>